Japan has national botnet warriors; why don’t we?

October is Cybersecurity Awareness Month here in the United States, which is a good thing, because we come down with more PC botnet infections than any other country in the world. Microsoft reports 2.2 million US PCs hijacked for cybercrime or distributed denial of service (DDoS) attacks on websites in the first half of this year.

And in late September, police in the greater New York area busted over 60 members of a botnet ring whose plan was to deploy the Zeus Trojan to clean out banks.

Botnets "are the launch pad for much of today's criminal activity on the Internet," Microsoft security expert Adrienne Hall warned last week. "In many ways, they are the perfect base of operations for computer criminals."

So what's the government doing about botnets? The Federal Communications Commission is running a proceeding to identify the five most critical cybersecurity threats to the communications infrastructure and come up with solutions. And various bills are floating around Capitol Hill that would unify the nation's already hyperbalkanized cybersecurity apparatus, so Uncle Sam can think with one brain about the problem (Senator Lieberman's and Senator Rockefeller's bills among them).

These measures ought to bear fruit in the next geological era or two. But in the meantime, how about we do what Japan did and set up a national botnet fighter?

Japan's Cyber Clean operation does the usual good stuff, trying to raise public awareness about the dangers of bots. A "bot"—in case you've gotten this far and are still wondering—is a piece of downloadable malware that allows a remote user to control your computer. PCs often become bot zombies because their owner was "phished"—fooled into clicking an e-mail attachment designed to launch the infection.

Once in control of your computer, botnet baddies can follow your keystrokes or turn your machine into a DDoS attack weapon.

But the Cyber Clean operation goes a massive step further than public education. It searches for bot-infected PCs, then engages in a series of "attention rousing activities" to get the user to realize that her computer has been hijacked.

Stage one of the ongoing campaign involves the regular deployment of "honeypot" PCs, essentially decoys that are easy for botnets to find and infest. Once the honeypot picks up enough bot data, Cyber Clean engineers move to stage two: scouring the machine's log files for intelligence on actual users who have caught the infection.

In stage three, the relevant ISPs are alerted. They send those users an "attention rousing mail" directing them to a customized "bot deinfestation" website, where (in stage four) they receive downloads and instructions on how to clean their computer and prevent future attacks.
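Stages two and three above, as an added example that is not Cyber Clean's own code: it mines constructed honeypot log lines for hosts that checked in as bots, then groups them by the ISP that owns their address range so each ISP can notify its own subscribers. The log format, the ISP prefix table and the check-in threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed honeypot log (not real data): timestamp, source IP, event.
HONEYPOT_LOG = """\
2010-08-01T10:00:01Z 203.0.113.17 bot-checkin family=zeus
2010-08-01T10:00:05Z 198.51.100.23 bot-checkin family=zeus
2010-08-01T10:01:10Z 203.0.113.17 bot-checkin family=zeus
2010-08-01T10:02:00Z 192.0.2.200 scan port=445
2010-08-01T10:03:30Z 198.51.100.23 bot-checkin family=zeus
2010-08-01T10:04:00Z 203.0.113.99 bot-checkin family=other
"""

# Constructed ISP allocation table (assumption; a real deployment would
# resolve ownership through RIR/WHOIS data instead).
ISP_PREFIXES = {
    "203.0.113.0/24": "ISP-A",
    "198.51.100.0/24": "ISP-B",
}

# Only a bot check-in counts as evidence of infection; port scans and
# other noise hitting the decoy are ignored.
CHECKIN_RE = re.compile(r"^(\S+) (\S+) bot-checkin family=(\S+)$")


def extract_infected(log, min_checkins=1):
    """Stage two: return {ip: {"count": n, "families": set()}} for every
    source that checked in as a bot at least min_checkins times."""
    seen = defaultdict(lambda: {"count": 0, "families": set()})
    for line in log.splitlines():
        m = CHECKIN_RE.match(line)
        if not m:
            continue
        _, ip, family = m.groups()
        seen[ip]["count"] += 1
        seen[ip]["families"].add(family)
    return {ip: rec for ip, rec in seen.items() if rec["count"] >= min_checkins}


def route_to_isps(infected, prefixes=ISP_PREFIXES):
    """Stage three: group infected addresses by owning ISP so each ISP can
    send the 'attention rousing' notice; unknown ranges go to 'unrouted'."""
    nets = {ipaddress.ip_network(p): isp for p, isp in prefixes.items()}
    batches = defaultdict(list)
    for ip in infected:
        addr = ipaddress.ip_address(ip)
        owner = next((isp for net, isp in nets.items() if addr in net), None)
        batches[owner or "unrouted"].append(ip)
    return dict(batches)
```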

17 million bots

One aspect of Cyber Clean's online documentation that's a bit confusing is whether the operation sends out email or snail mail alerts, or both (the words "mail" and "email" seem to be used interchangeably). But the project's latest "activity report" says that, as of August, it has collected almost 17 million bot samples and deployed over half a million "attention rousing" messages.

An estimated 32.3 percent of users contacted actually go to their deinfestation page and download the relevant cleaning software, according to the organization. The campaign says it has counted 1,312,083 disinfectant downloads so far.

It's not like nobody's doing anything about bots in the US. Comcast has just deployed a new botnet alert system for its customers. And, of course, there are a wide variety of security guard systems available to consumers.

But in its filing with the FCC's cybersecurity proceeding, Microsoft seems skeptical that the botnet problem can be fixed on an individual level.

"For various reasons, the awareness and availability of security products does not always result in their deployment and maintenance and, ultimately, results in inadequate risk management," the commentary notes. "As a result, society needs to explore ways to implement collective defenses to help protect consumers who may be unaware that their computers have been compromised, and to reduce the risk that these compromised devices present to the ecosystem as a whole."

The software giant cites Cyber Clean as one of a number of international projects that have "had varying degrees of effectiveness." Maybe it's time to test its effectiveness here in the United States of Bots, too.

Matthew Lasar / Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz.